[wp-trac] [WordPress Trac] #34327: Check for filesystem write permissions done based on ownership instead of actual filesystem permissions

WordPress Trac noreply at wordpress.org
Fri Oct 16 16:34:59 UTC 2015


#34327: Check for filesystem write permissions done based on ownership instead of
actual filesystem permissions
----------------------------+-----------------------------
 Reporter:  Sling1          |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Filesystem API  |    Version:  4.3.1
 Severity:  normal          |   Keywords:
  Focuses:                  |
----------------------------+-----------------------------
 For security reasons, I don't run my httpd/fpm processes as the same user
 that owns my web content. This gives problems when trying to do various
 things in WordPress such as updating themes/plugins/translations etc.

 It all comes down to the function get_filesystem_method in
 wp-admin/includes/file.php, which bases the choice for direct filesystem
 access on the ownership of the filesystem resource(s) it's trying to
 access. Of course user ownership is not the only thing that can grant
 write permissions in the filesystem; the group owner and even things like
 ACLs can influence this.

 I see that for WP updates there has already been a 'hack' made, which is
 $allow_relaxed_file_ownership, but there seems to be no way to use the same
 criteria for all other actions.

 The core issue is that WordPress bases its "Can I actually write files
 $here" decision not on the actual outcome of a filesystem action, but on
 assumptions about the file/directory owner being the sole factor in being
 able to write.

 Please either
 - allow a global 'allow_relaxed_file_ownership' setting, or
 - actually perform a filesystem write check,
 so that people configuring their filesystem permissions properly don't
 need to lower their security in order to run WordPress.

 Thanks!

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34327>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
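As an added example (not WordPress core code and not from the reporter), the following PHP script contrasts the two decision strategies the ticket discusses: an ownership comparison modelled on the behaviour described above, and an actual write probe. The function names and the constructed demo directory are assumptions.

```php
<?php
// Added example, not WordPress core code: contrasts the ownership-based
// "can I write here?" decision the ticket describes with an actual write probe.

// Effective uid of the running PHP process, learned by creating a temp file
// and reading its owner (avoids depending on the posix extension).
function process_uid(): int {
    $tmp = tempnam(sys_get_temp_dir(), 'uid');
    $uid = fileowner($tmp);
    unlink($tmp);
    return $uid;
}

// Ownership-based decision: writable only if the target is owned by the
// same uid the process runs as. Group write bits and ACLs are ignored.
function ownership_says_writable(string $path): bool {
    $owner = @fileowner($path);
    return $owner !== false && $owner === process_uid();
}

// Empirical decision: try to create and remove a uniquely named file in the
// directory, so group ownership, ACLs etc. are all honoured by the kernel.
function probe_says_writable(string $dir): bool {
    if (!is_dir($dir)) {
        return false;
    }
    $probe = $dir . DIRECTORY_SEPARATOR . '.wp-write-probe-' . bin2hex(random_bytes(8));
    $fh = @fopen($probe, 'x'); // 'x' fails rather than clobbering an existing file
    if ($fh === false) {
        return false;
    }
    fclose($fh);
    @unlink($probe);
    return true;
}

// Constructed demo: point it at a directory owned by another user but
// group-writable for the PHP process, e.g. after
//   chown deploy:www-data wp-content && chmod 2775 wp-content
$dir = $argv[1] ?? sys_get_temp_dir();
printf("%s (owner uid %d, process uid %d)\n", $dir, fileowner($dir), process_uid());
printf("  ownership check: %s\n", ownership_says_writable($dir) ? 'writable' : 'not writable');
printf("  write probe:     %s\n", probe_says_writable($dir) ? 'writable' : 'not writable');
```

On a directory such as a root-owned, sticky /tmp the two answers diverge: the ownership check reports "not writable" while the probe succeeds, which is exactly the mismatch the ticket describes for group-writable wp-content trees.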
